Privacy Policy

1. Background

The Australian Bone Marrow Donor Registry (referred to as “we”, “our” or “us” in this policy) provides Australia’s only Registry of volunteer bone marrow / blood stem cell donors for patients in need of a transplant. We also use the brand name ‘Stem Cell Donors Australia’ when we interact with our donors.

We are also a registered charity and an accredited member of the World Marrow Donor Association (WMDA).

This Privacy Policy sets out our commitment to protecting the privacy of personal information – including sensitive information and health information – and explains how we collect, use, store, and disclose personal information, and your rights in relation to this.

We must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), and other privacy laws which govern the way in which organisations hold, use and disclose personal information (including your sensitive information). We must also comply with standards published by the WMDA, which cover many aspects of our operations including donor recruitment, consenting and screening and the protection of personal data.

By providing personal information to us, you confirm that you have agreed to us collecting, using and disclosing your personal information in accordance with this policy. Note that this policy includes occasions where your personal information may be provided to us by a third party – in this case, we take reasonable measures to ensure that you have agreed to the third party organisation providing this information to us, and that the third party has appropriate policies in place to protect your personal information.

Note that this policy refers to all who have registered to donate their bone marrow / blood stem cells as ‘donors’, regardless of whether they have actually donated. We also refer to ‘patients’ up until the point of transplantation, at which point they are referred to as ‘recipients’.

2. Types of personal information we collect

Personal information is information that identifies an individual. The personal Information we collect about our donors and patients includes names and dates of birth; and (for donors only) addresses, email addresses, phone, and other contact details.

Sensitive information includes information about an individual’s ethnic origin or health information. Sensitive information that we collect about donors and patients includes ethnicity background information, health screening information and genetic or biometric information.

We also collect personal information about website visitors, employment applicants, health service professionals and other supporters.

Where reasonably practicable, we attempt to collect information directly from individuals. When we collect information, we will generally explain to the individual: why we are collecting it, who we give it to and how we will use or disclose it. Alternatively, those matters will be obvious from the circumstances.

More details on the type of personal information collected and how we collect or receive it and use it is set out below.

3. Why we collect personal information

The primary purpose for our collection of personal information is to operate our Registry, which connects patients with matching volunteer donors. This fulfils our charitable purpose of giving Australian patients needing a life-saving transplant of blood stem cells access to suitable donors. We may also collect and use personal information for secondary purposes closely related to our primary purpose, in circumstances where you would reasonably expect such use or disclosure.

If we did not collect personal information then we would not be able to process donor enrolments, operate our Registry or provide our services to patients in need. If a donor chooses not to provide the personal information we request, then we may not be able to process or maintain their enrolment on our Registry.

When we collect personal information, we will provide you with more information about the reasons for the collection and specific matters relevant to the collection. Typically, we need to collect personal information so we can do one or more of the following:

  • process donor enrolments onto our Registry
  • manage information held on our Registry (including verifying donor identities and maintaining contact information)
  • enable searches of our Registry on behalf of patients for matches with potential donors
  • enable individuals to participate in research, fundraising and awareness or education activities
  • undertake internal record keeping and administrative tasks, such as risk management, education and training of staff, and quality assurance activities (including IT system testing)
  • communicate with you
  • tell donor and patient stories and promote our life-saving work
  • gain a better understanding of our supporters and the people we reach and help
  • perform research and analysis to improve the way in which we engage with our supporters
  • comply with our legal obligations including our contractual obligations to the Commonwealth Government.

4. Donor information

4.1 Enrolment information

We hold essential donor information which enables us to do our work of finding matching donors to help save the lives of patients who need blood stem cell transplants. If you are eligible and volunteer to join the Registry to become a donor, at enrolment you will be required to provide the following information:

  • full name
  • date of birth
  • height, weight and sex
  • contact details including email address, mailing address, street address and telephone numbers
  • Medicare eligibility
  • genetic ancestry (optional).

This information will be collected directly from you via our enrolment form completed online through our website.

Other enrolment information we collect includes the results of the ‘enrolment samples’ you provide for testing your tissue type, cytomegalovirus or CMV status (which can have a critical impact on transplant outcomes) and blood type. This testing is done by:

  • our approved third-party laboratory testing the cheek swab samples you provide to us. Where this laboratory is located overseas, no identifying information will accompany your samples; however, where an Australian laboratory is used they require some identifying information (name, date of birth) to accompany the sample
  • or, if joining via Lifeblood, the blood samples you provide to Lifeblood will be tested and reported to us in accordance with Lifeblood’s policies and procedures
  • or, if you are transferring to our Registry from another registry, a report will be provided from the transferring registry.

Collecting your enrolment test results is important for us to take the first step of identifying if you are a potential match for a patient.  Occasionally, we identify that a donor’s enrolment results are insufficiently detailed; in which case we will ask the donor to provide additional enrolment samples so their initial results can be updated or supplemented.

At enrolment, we assign each donor a unique identification number and only this number and your enrolment test results are visible to those searching for a donor.

4.2 Additional information

If you are identified as a potential match for a patient, we will need to collect additional personal and sensitive information from you and extend and verify the recruitment test information, to allow the patient’s medical team to further assess the match and likely success of donation to the patient.

Additional information collected from you at this stage may include:

  • health and recent travel history
  • personal and family health history information to determine the likelihood of the presence of a range of infectious diseases and genetic predispositions
  • blood samples which will undergo repeat tissue type, blood type and CMV status laboratory testing
  • blood samples which will undergo laboratory testing for a range of infectious diseases including HIV and hepatitis
  • venous access examination reports from health service providers.

We only collect this additional information once you agree to providing your information directly to us (e.g. by answering our health questions) and:

  • providing blood samples at a Lifeblood donation centre – these samples are managed as follows:tissue type test samples are sent (without identifying information) for testing at the laboratory nominated by the patient’s medical team, and these laboratories will then report the results to us; and
  • all other samples are retained by Lifeblood (with identifying information) and tested for infectious diseases and blood type, and reported to us in accordance with Lifeblood’s policies and procedures
  • and/or providing additional cheek swab samples to us, which we de-identify and send for testing at laboratories approved by us, and these laboratories will report the results to us.

We only collect or receive this additional information after the donor has given consent for us to collect or receive this information.

We share this information on a de-identified basis with transplant centres in Australia and other registries around the world. If you proceed to donation, the additional information will also be shared (along with your identity) with your work-up provider.

4.3 Work-up information

If, based on the additional information, you are selected as a patient’s best match then you will be asked to attend a “work-up”.  This involves attending an appointment with a medical practitioner associated with a suitable collection centre (‘work-up provider’) who will be responsible for deciding, together with you, your suitability for donation. The work-up provider will request that you provide further personal and sensitive information, provide further blood samples which they will send for testing at their chosen laboratory, and undergo physical examinations.

Before your appointment, we will ask you to re-confirm some or all of the additional information you provided. This additional information will be collected and shared as per section 4.2 above.

The work-up information collected by your work-up provider will be managed in accordance with your work-up provider’s own policies and procedures. They must share with us the information necessary for us to progress the donation process, including test results and their assessment and findings. The work-up information shared with us will be used in accordance with this policy and may include sharing on a de-identified basis with a patient’s medical team.

4.4 Collection and post-donation information

If you and your work-up provider approves the donation of your blood stem cells, you will proceed to the collection stage.  This stage will involve undergoing a medical procedure in a suitable hospital collection centre and will include further collection of personal, health and sensitive information as part of the procedure.  In a small number of cases, you may be asked to attend a second (subsequent) medical procedure at the same hospital days or weeks after the first procedure, to provide additional cells to the patient.

Each collection centre has its own hospital policies and procedures including in connection with the use and collection of personal information (including health information).  Information necessary for us to manage the first and (if requested) subsequent donation process will be shared with us by the collection centre and the patient’s medical team and used by us in accordance with this policy. This may include sharing identified collection information with a patient’s medical team.

Following donation to a patient, we will contact you to ask about your health and wellbeing. If there are any concerns, we will discuss these with you and may refer you to an appropriate health service provider. The information you provide us at this stage may be shared with your work-up provider. You will also be asked to see your general practitioner (GP) for follow-up and we will ask your GP to perform some blood tests and provide us with a report on your health.  This will allow us to identify any medical issues that may have arisen due to the donation.

For decades, we and other registries around the world have been collecting long-term information on the health of donors who have made donations. This long-term data provides registries and their donors with assurance about the long-term safety of the donation and recovery processes. This long-term process also checks if you have had any other medical issues emerge that may affect the recipient, given that the recipient now ‘shares’ your blood. Once a year, for 10 years following your donation, you will be asked to participate in this long-term data collection process by answering a short questionnaire. Your answers will be de-identified and reported in aggregate to Australian and global medical researchers.

4.5 Donor retirement from the registry

Donors can retire from the Registry for a number of reasons e.g. reaching the maximum donor age, the withdrawal of consent, the donor being deemed medically unfit to donate or refusing a donation request. Regardless of the reason for retirement, once retired a donor’s de-identified enrolment test results will no longer be available for new patient searches. However, our management of a retired donor’s information depends on whether the donor had donated their blood stem cells.

Where a donor had made a blood stem cell donation, their information is linked to that of the recipient, and will be retained by us indefinitely. Where a retired donor had not made a blood stem cell donation, their de-identified enrolment test results will still appear in historical patient search records, until such time as we are notified that the patient search records can be disposed.

5. Patient (and recipient) information

We provide a volunteer donor search service for Australian patients, which involves our extensive network of cooperative relationships with international registries from over 50 countries. When a patient’s transplant team accesses this search service, they must provide patient information to enable us to administer the search process, including the provision of funding for the search. The search service only exchanges de-identified patient information with international registries.

Each transplant centre has its own hospital policies and procedures including in connection with the use and collection of personal information (including health information).  Information necessary for us to manage the patient’s search process will be shared with us by the transplant centre (which may include third parties that are part of the patient’s medical team) and used by us in accordance with this policy. This includes sharing de-identified patient information with international registries to allow them to search their databases for a suitable donor.

The patient information shared with us by the patient’s transplant team may include:

  • the patient’s name, date of birth, gender
  • treating health service provider details
  • blood and tissue type
  • relevant diagnoses or other clinical information that contributes to identifying whether a donor is a suitable match
  • Medicare eligibility
  • applications for funding for international searches (which we administer on behalf of the Commonwealth)
  • progress reports following transplant and information about the recipient’s recovery. This information may contribute to a subsequent donation request and may be shared on a de-identified basis with the patient’s donor.

Frequently, patient searches are paused while other treatment options are pursued; these searches may be re-instigated at a later point. Further, following a transplant, the recipient may require subsequent donations from the same or a different donor. Hence, once we receive patient information, it will be retained indefinitely unless and until a specific request is received from the patient’s medical team for the patient’s search to be cancelled (and records disposed) due to their death.

We require strict donor-recipient anonymity be maintained before and after the transplant, to protect the welfare of both parties and preserve the altruism of the donation. However, we also recognise that donors and recipients may wish to communicate with each other directly. We will facilitate the exchange of donor and patient identifying information where authorisation to do so has been provided by each party. International privacy laws may limit our ability to facilitate direct contact with overseas donors or recipients.

Sometimes we are requested by a patient’s transplant team to identify if a family member is a suitable blood stem cell match and/or to facilitate the collection of a family member’s blood stem cells (“related donor”). In those circumstances, we require the related donor to enrol on the Registry to ensure that we can provide the requested services. However, we may, with the related donor’s permission, disclose the related donor’s name and contact information to the patient’s transplant team and health service providers, which may include the relevant international registry and laboratories.

6. Other information we hold and use

6.1 Website visitors

When you use or access our website you may provide your name, contact details or other personal information/ data. This may be done via:

  • Contact Us – for general public and supporters
  • Update donor details – for donors; or
  • logging into our network as an existing Health Professional or new Health Professional.

When you contact us via these channels we will use your personal information for the purpose for which you have contacted us, this will typically be to:

  • send tailored information about blood stem cell donation and our Registry to you;
  • respond to a direct query or request you make;
  • enable you as an enrolled donor to update your contact information for our Registry; or
  • enable Health Professionals to provide information to us about a recipient for matching.

Our website uses cookies and other technologies which hold some data about your use of our website.  During your visit on our website, we will collect log information via cookies and other technologies including your IP address. The data we collect about your use of our website may be provided via industry-standard Google Analytics and other content delivery network and web security services. The information is not stored as personally identifiable information but may be used to enable us to improve the usability of our website and customise web page experiences based on user preferences.

6.2 Health professionals

Only authorised health professionals can access our Registry.  Authorisation may involve the health professional’s employer verifying their personal information and that they have a genuine reason for accessing the network. We will use the personal information collected about health professionals to:

  • enable the appropriate exchange of donor and recipient information for searching and matching as well as for follow-up and monitoring after donation.
  • send tailored information to health professionals about blood stem cell donation and our work; or
  • respond to direct queries or requests made.
6.3 Emergency contacts for donors

At the Work-up stage, we will ask donors for the details of persons nominated as their emergency contact. This will be noted on the donor’s record.

6.4 Employment applications

We collect information from job applicants which is necessary to assess their application. This includes collecting personal information such as a job applicant’s name, address and contact details, professional experience, qualifications, references and past employers, and any other information which is necessary to process a job application.

7. Disclosure to authorised third parties

Sections 4 to 6 above identify the various disclosures to third parties made by us in relation to donor and patient information. In addition, we may disclose the personal information we collect to:

  • third party service providers contracted to us, where required for the purpose of enabling them to provide their services – including IT service providers; data storage, webhosting and server providers and marketing service providers. This may include parties located, or that store data, outside of Australia.
  • our insurers, but only to the extent necessary and permitted by law;
  • courts, tribunals, regulatory authorities and law enforcement officers as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
  • third parties that collect and process website data on our behalf, such as Google Analytics. This may include parties located, or that store data, outside of Australia; and
  • third party research organisations, where consent from the individual has been obtained and the research is approved (where applicable) by us and our approved Human Research Ethics Committee.

Third party organisations are subject to our security, access, confidentiality and privacy protection arrangements, and must only use your personal information for the purposes for which it was provided.  Overseas registries are subject to privacy standards equivalent to those that we are required to comply with and are bound by the WMDA’s Data Use Agreement.

Where possible your information will be shared with these organisations on a de-identified basis. Your name and contact information will not be provided to third party organisation unless they are providing a health service to you.  We only disclose your sensitive information for the purposes for which you gave it to us or for directly related purposes you would reasonably expect or if you agree.

We will not provide sensitive information, such as health information, for any marketing purpose and we will never sell your personal information.

8. How we store personal information

We are committed to ensuring that the personal information we collect is secure.

To prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

We maintain donor and recipient records for as long as reasonably required for the purposes of the safety of donors and recipients, and to comply with health records laws and privacy laws.

9. What are my rights?

9.1 Access and correction

You have a right to request access to your own personal information.  You also have a right to request its correction if you consider it is incorrect.

To protect your personal information from being disclosed to the wrong person, we have processes in place to ensure that your identity is confirmed as well as the information that you are requesting.

To request access to your personal information, please send the following information to our Privacy Officer at our published address:

  • your name, date of birth, address and telephone contact details; and
  • an outline of the information you are requesting access to; and
  • a certified copy of a form of proof of identity (i.e. Australian birth certificate; or Australian citizenship certificate; or current Australian drivers’ licence, passport or government issued proof of identity card); and
  • your signature confirming your request.

We will try to respond to your request within 30 days but the time to respond can vary depending upon the information requested and the number of requests received. If you can be as specific as possible about the information requested this assists in collating and providing the information. In certain circumstances, we are allowed to deny or limit the access we provide; if so, we’ll let you know in writing our reasons.

Once we receive your request and confirm your identity, the copy of the proof of identity will be destroyed.

If you believe any personal information we are holding is incorrect or incomplete please contact our Privacy Officer at our published address.

9.2 Opting out or unsubscribing

To unsubscribe from our marketing database or opt out of marketing communications please use the opt out facilities provided in the communication. Note that unsubscribing from some communications will not be possible – such as receiving requests for additional information or requests for contact information to be updated.

9.3 Complaints

If you believe that we have breached the Australian Privacy Principles and wish to make a complaint, please contact our Privacy Officer at the above address, setting out the details of the alleged breach. Your complaint will be promptly investigated and we will respond to you, in writing, setting out the outcome of the investigation and the steps we have taken or will take to deal with your complaint.

If you are not satisfied with our response you can refer your complaint to the Office of Australian Information Commissioner.

10. Review and amendments

We may, at any time, vary this Privacy Policy by publishing an amended Privacy Policy on our websites.  It is recommended that you check our websites regularly to ensure you are aware of the current Privacy Policy